---
Tool name: dnsenum
Category: Information Gathering
Tags: [dns,kali linux,dnsenum,information gathering,recon]
Created: 2016-10-20 11:00:00
---
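0x00 Introduction to dnsenum
----------------------------

dnsenum is a multithreaded Perl script that enumerates the DNS information of a domain and discovers non-contiguous IP blocks.

Main features:

```plain
- Get the host's addresses (A records)
- Get the name servers (threaded)
- Get the MX records (threaded)
- Perform axfr queries on the name servers and get the BIND VERSION (threaded)
- Get extra names and subdomains via Google scraping (google query = “allinurl: -www site:domain”)
- Brute force subdomains from a file; can also perform recursion on subdomains that have NS records (all threaded)
- Calculate class C domain network ranges and perform whois queries on them (threaded)
- Perform reverse lookups on the network ranges (class C and/or whois netranges) (threaded)
- Write the IP blocks to the file domain_ips.txt
```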

Source: https://github.com/fwaeytens/dnsenum

[dnsenum homepage][1] | [Kali dnsenum repo][2]

- Author: Filip Waeytens, tix tixxDZ
- License: GPLv2

0x01 dnsenum features
---------------------

```shell
root@kali:~# dnsenum -h
dnsenum.pl VERSION:1.2.3
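Usage: dnsenum.pl [options] <domain>
[Options]:
Note: the '-f' option is used for brute forcing
General options:
  --dnsserver <server>    Use this DNS server for A, NS and MX queries
  --enum                  Shortcut option equivalent to --threads 5 -s 15 -w
  -h, --help              Print this help message
  --noreverse             Skip the reverse lookup operations
  --nocolor               Disable ANSIColor output
  --private               Show and save private IPs at the end of the file domain_ips.txt
  --subfile <file>        Write all valid subdomains to this file
  -t, --timeout <value>   TCP and UDP timeout value (in seconds, default: 10s)
  --threads <value>       Number of threads that will perform the different queries
  -v, --verbose           Verbose: show all progress and all error messages.
Google scraping options:
  -p, --pages <value>     Number of Google search pages to process when scraping names; the default is 5 pages, the -s switch must be specified
  -s, --scrap <value>     Maximum number of subdomains that will be scraped from Google (default 15)
Brute force options:
  -f, --file <file>       Read subdomains from this file to perform brute force
  -u, --update <a|g|r|z>  Update the file specified with the -f switch with valid subdomains
      a (all)             Update using all results.
      g                   Update using only Google scraping results
      r                   Update using only reverse lookup results
      z                   Update using only zonetransfer results
  -r, --recursion         Recurse on subdomains, brute force all subdomains that have an NS record
WHOIS netrange options:
  -d, --delay <value>     Maximum time (in seconds) to wait between whois queries; the value is user-defined, default: 3s
  -w, --whois             Perform whois queries on class C network ranges
  **Warning**: this can generate very heavy network traffic, and the reverse lookups take a lot of time
Reverse lookup options:
  -e, --exclude <regexp>  Exclude PTR records that match the regexp expression from reverse lookup results; useful for invalid hostnames
Output options:
  -o --output <file>      Output in XML format so that it can be imported into MagicTree (www.gremwell.com)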
```
0x02 dnsenum usage example
--------------------------

```shell
root@kali:~# dnsenum -f possible_subdomain.txt --subfile subdomain.txt --threads 2 -w -r cuit.edu.cn
dnsenum.pl VERSION:1.2.3
Warning: can't load Net::Whois::IP module, whois queries disabled.
----- cuit.edu.cn -----
Host's addresses:
__________________
Name Servers:
______________
dns.cuit.edu.cn. 5 IN A 210.41.224.33
Mail (MX) Servers:
___________________
mailw.cuit.edu.cn. 5 IN A 210.41.224.45
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
unresolvable name: dns2.cuit.edu.cn at /usr/bin/dnsenum line 842 thread 2.
Trying Zone Transfer for cuit.edu.cn on dns2.cuit.edu.cn ...
AXFR record query failed: no nameservers
Trying Zone Transfer for cuit.edu.cn on dns.cuit.edu.cn ...
AXFR record query failed: REFUSED
Brute forcing with possible_subdomain.txt:
___________________________________________
www.cuit.edu.cn. 5 IN A 210.41.224.132
wlzf.cuit.edu.cn. 5 IN A 210.41.225.229
acm.cuit.edu.cn. 5 IN A 210.41.225.250
wlcc.cuit.edu.cn. 5 IN A 210.41.228.67
jhcwc.cuit.edu.cn. 5 IN A 210.41.224.220
bylw.cuit.edu.cn. 5 IN A 210.41.224.237
pkxt.cuit.edu.cn. 5 IN A 210.41.229.132
pan.cuit.edu.cn. 5 IN A 210.41.224.210
dzgcxy.cuit.edu.cn. 5 IN A 210.41.224.220
kzgcxy.cuit.edu.cn. 5 IN A 210.41.224.220
yjsc.cuit.edu.cn. 5 IN A 210.41.225.22
hqc.cuit.edu.cn. 5 IN A 210.41.224.220
wpgz.cuit.edu.cn. 5 IN A 210.41.229.135
jszx.cuit.edu.cn. 5 IN A 210.41.225.21
xyw.cuit.edu.cn. 5 IN A 210.41.224.220
gjjl.cuit.edu.cn. 5 IN A 210.41.224.220
math.cuit.edu.cn. 5 IN A 210.41.224.220
jwc.cuit.edu.cn. 5 IN A 210.41.225.108
jxpt.cuit.edu.cn. 5 IN A 210.41.228.119
wlcc.cuit.edu.cn. 5 IN A 210.41.228.67
xsc.cuit.edu.cn. 5 IN A 210.41.224.206
exam.cuit.edu.cn. 5 IN A 222.18.158.220
Performing recursion:
______________________
---- Checking subdomains NS records ----
Can't perform recursion no NS records.
cuit.edu.cn class C netranges:
_______________________________
210.41.224.0/24
210.41.225.0/24
210.41.228.0/24
210.41.229.0/24
222.18.158.0/24
Performing reverse lookup on 1280 ip addresses:
________________________________________________
34.224.41.210.in-addr.arpa. 86400 IN PTR dnsu.cuit.edu.cn.
36.224.41.210.in-addr.arpa. 86400 IN PTR dns.cuit.edu.cn.
40.224.41.210.in-addr.arpa. 86400 IN PTR jwc.cuit.edu.cn.
130.224.41.210.in-addr.arpa. 86400 IN PTR www.cuit.edu.cn.
131.224.41.210.in-addr.arpa. 86400 IN PTR ftp.cuit.edu.cn.
130.224.41.210.in-addr.arpa. 86400 IN PTR dep.cuit.edu.cn.
206.224.41.210.in-addr.arpa. 86400 IN PTR xsc.cuit.edu.cn.
```
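
When reviewing a transcript like the one above for your own zone, the points worth extracting are the AXFR result per name server, the /24 ranges the A records fall into, and any public names that resolve to private addresses. The following is an added example, not part of dnsenum or of the original page: the function names, the `NOT REFUSED` label and the choice to leave RFC 1918 addresses out of the ranges are assumptions of this example, and the sample transcript is constructed.

```python
import ipaddress
import re

# Constructed sample in the layout of the dnsenum transcript (not real output).
SAMPLE = """\
ns1.example.com. 5 IN A 192.0.2.10
Trying Zone Transfer for example.com on ns1.example.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for example.com on ns2.example.com ...
www.example.com. 5 IN A 192.0.2.80
intranet.example.com. 5 IN A 10.1.2.3
mail.example.com. 5 IN A 198.51.100.25
"""

A_RE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")
TRY_RE = re.compile(r"^Trying Zone Transfer for \S+ on (\S+) \.\.\.$")
FAIL_RE = re.compile(r"^AXFR record query failed: (.+)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_transcript(text):
    """Return ({host: {ip}}, {nameserver: axfr_status}) from dnsenum output."""
    hosts, axfr, pending = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        fail = FAIL_RE.match(line)
        if pending is not None:
            # Assumption: no failure line right after "Trying ..." needs review.
            axfr[pending] = fail.group(1) if fail else "NOT REFUSED"
            pending = None
        if m := TRY_RE.match(line):
            pending = m.group(1)
        elif m := A_RE.match(line):
            hosts.setdefault(m.group(1), set()).add(ipaddress.ip_address(m.group(2)))
    if pending is not None:
        axfr[pending] = "NOT REFUSED"
    return hosts, axfr


def class_c_netranges(hosts):
    """/24 ranges covering the public (non-RFC 1918) A records."""
    ips = {ip for addrs in hosts.values() for ip in addrs}
    return sorted({ipaddress.ip_network(f"{ip}/24", strict=False)
                   for ip in ips if not any(ip in n for n in RFC1918)})


def private_leaks(hosts):
    """Names in the public zone that resolve to RFC 1918 addresses."""
    return sorted(h for h, addrs in hosts.items()
                  if any(ip in n for ip in addrs for n in RFC1918))
```

Each /24 contributes 256 addresses to the reverse-lookup sweep, which is why the five ranges in the transcript above lead to 1280 lookups.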
[1]: https://github.com/fwaeytens/dnsenum
[2]: https://github.com/fwaeytens/dnsenum